chinese_generic_botnet | 3d2ced1b815c6aa31457030af8e4255dfb1b06d6b583a747e15272530824a6fa

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-02-2022 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

demoo.dll
Size

3.3MB
MD5

1af9024e05e21428386247905f59a7ab
SHA1

1802f64add91791808262bb60984424f95f28e2e
SHA256

3d2ced1b815c6aa31457030af8e4255dfb1b06d6b583a747e15272530824a6fa
SHA512

3171177b8aa8c7cc7354231f512879ef86c8c81c3784a38837852c1f80efa45a560ba2ddafb17fc5002bb8bfdb1b1ed3cb1de5cd933e5e167a0c7a1727c39cb4

Score

10^/10

chinese_generic_botnet botnet vmprotect

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

botnet

resource	yara_rule
behavioral2/memory/2136-132-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Blocklisted process makes network request 8 IoCs

flow	pid	Process
9	2136	rundll32.exe
27	2136	rundll32.exe
34	2136	rundll32.exe
46	2136	rundll32.exe
47	2136	rundll32.exe
49	2136	rundll32.exe
50	2136	rundll32.exe
51	2136	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2136-130-0x0000000074F70000-0x000000007545E000-memory.dmp	vmprotect

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4772	svchost.exe
Token: SeCreatePagefilePrivilege	4772	svchost.exe
Token: SeShutdownPrivilege	4772	svchost.exe
Token: SeCreatePagefilePrivilege	4772	svchost.exe
Token: SeShutdownPrivilege	4772	svchost.exe
Token: SeCreatePagefilePrivilege	4772	svchost.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe
Token: SeRestorePrivilege	2504	TiWorker.exe
Token: SeSecurityPrivilege	2504	TiWorker.exe
Token: SeBackupPrivilege	2504	TiWorker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2136	1964	rundll32.exe	82
PID 1964 wrote to memory of 2136	1964	rundll32.exe	82
PID 1964 wrote to memory of 2136	1964	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\demoo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\demoo.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-130-0x0000000074F70000-0x000000007545E000-memory.dmp

Filesize
4.9MB

Download
memory/2136-132-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4772-134-0x00000260A8E20000-0x00000260A8E30000-memory.dmp

Filesize
64KB

Download
memory/4772-135-0x00000260A8E80000-0x00000260A8E90000-memory.dmp

Filesize
64KB

Download
memory/4772-136-0x00000260AB530000-0x00000260AB534000-memory.dmp

Filesize
16KB

Download